Running a website in the early years of the web was a scary business. The web was an evolving medium, and people were finding new uses for it almost every day. From book stores to online auctions, the web was an expanding universe of new possibilities.

As the web evolved, so too did the knowledge of its inherent security vulnerabilities. Clever tricks that were played on one site could be copied on literally hundreds of other sites. It was a normal sight to log in to a website to find nothing working because someone had breached its defences and deleted its database. Lessons in web security in those days were hard-earned.

Web attacks are exploding these days as security moves to the front of the stage. We’ve compiled over 23 Node.js security best practices (+40 other generic security practices) from all top-ranked articles around the globe. The work here is part of our Node.js best practices GitHub repository, which contains more than 80 Node.js practices. Note: many items have a "read more" link to an elaboration on the topic with a code example and other useful information.

If you feel like Chrome's been using more RAM on the desktop client since the v67 release a month back, good news: you're not going crazy! Bad news: it definitely is using more RAM (again, on the desktop).

That's because of an advanced new security feature the Chromium team has rolled into the latest version of Google's infamously memory-hungry browser, known as Site Isolation. I'll spare you the technical details, but the short of it is that because of the growing number of memory-disclosure vulnerabilities being exposed as part of the Spectre and Meltdown flaws, the Chrome team has decided to enable Site Isolation by default in Chrome on the desktop as of version 67.

Today W3C releases HTML 5.2. This is the second revision of HTML5, following last year’s HTML 5.1 Recommendation. In 2014 we expressed a goal to produce a revision roughly every year; HTML 5.2 is a continuation of that commitment.

This Recommendation, like its predecessor, provides an updated, stable guide to what HTML is. In the past year there has been a significant cleanup of the specification. We have introduced some new features, and removed things that are no longer part of the modern Web Platform, or that never achieved broad interoperability. As always, we have also fixed bugs in the specification, making sure it adapts to the changing reality of the Web.

Security researchers have recently uncovered security issues known as Meltdown and Spectre. These issues apply to all modern processors and allow attackers to gain read access to parts of memory that were meant to be secret. To initiate a Spectre- or Meltdown-based attack, the attacker must be able to run code on the victim’s processor. WebKit is affected because in order to render modern web sites, any web JavaScript engine must allow untrusted JavaScript code to run on the user’s processor. Spectre impacts WebKit directly. Meltdown impacts WebKit because WebKit’s security properties must first be bypassed (via Spectre) before WebKit can be used to mount a Meltdown attack.

In the previous two years we covered best practices for writing and operating Node.js applications (read the 2016 edition & 2017 edition). Another year has passed, so it’s time to revisit the topic of becoming a better developer!

In this article, we collected a few tips that we think Node.js developers should follow in 2018. Feel free to pick some development related New Year's resolutions!

Async/await landed in Node.js 8 with a boom. It changed how we handle async events and simplified previously mind-boggling code bases. If you are not yet using async/await, read our introductory blog post.

Last month, we made it easier for you to keep track of the projects your code depends on with the dependency graph, currently supported in Javascript and Ruby. Today, for the over 75 percent of GitHub projects that have dependencies, we’re helping you do more than see those important projects. With your dependency graph enabled, we’ll now notify you when we detect a vulnerability in one of your dependencies and suggest known fixes from the GitHub community.

How to start using security alerts

Whether your projects are private or public, security alerts get vital vulnerability information to the right people on your team.

So this is why it’s not a good idea for developers to write their own custom CMS — unless, that is, they want to become a CMS vendor too.

But that’s easy for me to say. I’m not the one faced with multiple frustrations and finding many reasons why a custom CMS would be the way to go.

So let’s take the main reasons in turn and see why they are obsolete.

When you talk to front-end developers, their #1 complaint about CMS is that it messes up their HTML code and makes them look for workarounds.

But that’s over: headless CMS gives you absolute freedom and it has a zero footprint in the resulting HTML code. All you need to do is call its REST API using your favorite programming language to retrieve the content from the repository.

Whether you’re working on an open source project or building a software company, chances are you can simplify your work with GitHub Apps. In May, we launched GitHub Marketplace—a place where you can easily discover, purchase, and integrate new tools that customize your workflow. Today, we’re launching seven new apps in Marketplace and four new categories: Dependency Management, Localization, Security, and Time Tracking.

Code quality, Code review

Better Code Hub provides development teams with immediate, relevant feedback on code quality. It checks a code base against ten guidelines for maintainable software, delivering actionable recommendations and helping your team get to a shared definition of done. A score of ten out of ten indicates you’re performing among top development teams within the industry.

Now you can use multiple levels of nested teams to reflect your group or company's hierarchy within your GitHub organization, making your organization's permissions structure clearer and easier to manage.

Child teams inherit their parent's access permissions, so repository permissions and @mentioning among nested teams work from top to bottom. If your team structure is Employees > Engineering > Application Engineering > Identity, granting Engineering write access to a repository means Application Engineering and Identity also get that access. And if you @mention the Identity team or any other team at the bottom of the organization hierarchy, they're the only ones who will receive a notification.

Developing secure, robust web applications in the cloud is hard, very hard. If you think it is easy, you are either a higher form of life or you have a painful awakening ahead of you.

If you have drunk the MVP Kool-Aid and believe that you can create a product in one month that is both valuable and secure — think twice before you launch your “proto-product”. After you review the checklist below, acknowledge that you are skipping many of these critical security issues. At the very minimum, be honest with your potential users and let them know that you don’t have a complete product yet and are offering a prototype without full security.

Needless to say, most websites online suffer from various types of bugs, which may eventually lead to vulnerabilities. Why does this happen so often? Many factors can be involved, including misconfiguration, a shortage of security skills among engineers, and so on. Therefore, here is a curated list of web security materials and resources for learning cutting-edge penetration testing techniques.

🌈 Want to strengthen your penetration testing skills? I would recommend playing some awesome-ctfs.

Forums

Drops (backup) - Drops was known as a famous knowledge base for hacking technology.

GitHub - google/tamperchrome: Tamper Chrome is a Chrome extension that allows you to modify HTTP requests on the fly and aid on web security testing. Tamper Chrome works across all operating systems (including Chrome OS).

How to use Tamper Chrome?

Tamper Chrome has six different tools, each of which does something slightly different, as described below. You have to activate each tool individually.

To do so, simply click on the checkbox next to the tool's name, and this will mark the tool as active.

In the following section we explain how to use each tool.

This tool allows you to either block or redirect a request from the browser. For example, if a website requests a minified version of jQuery, you can redirect it to the unminified version of jQuery.

Web applications, be they thin websites or thick single-page apps, are notorious targets for cyber-attacks. In 2016, approximately 40% of data breaches originated from attacks on web apps — the leading attack pattern. Indeed, these days, understanding cyber-security is not a luxury but rather a necessity for web developers, especially for developers who build consumer-facing applications.

HTTP response headers can be leveraged to tighten up the security of web apps, typically just by adding a few lines of code. In this article, we’ll show how web developers can use HTTP headers to build secure apps. While the code examples are for Node.js, setting HTTP response headers is supported across all major server-side-rendering platforms and is typically simple to set up.

This made me sit up and take notice. The libraries these researchers were checking for were 72 of the most popular open-source projects out there — libraries like Angular and jQuery that we all use every day. I’d never really stopped to think whether an outdated version of jQuery could present a serious security threat. And I had (almost) certainly never gone back to update an old version of jQuery on a website I had made. Was this something I should have been doing?

The Stanford Javascript Crypto Library (hosted here on GitHub) is a project by the Stanford Computer Security Lab to build a secure, powerful, fast, small, easy-to-use, cross-browser library for cryptography in Javascript.

SJCL is easy to use: simply run sjcl.encrypt("password", "data") to encrypt data, or sjcl.decrypt("password", "encrypted-data") to decrypt it. For users with more complex security requirements, there is a much more powerful API, described in the documentation and illustrated in this demo page.

SJCL is small but powerful. The minified version of the library is under 6.4KB compressed, and yet it posts impressive speed results. (TODO: put up a benchmarks page.)